VPN Tech: Don't Write Off IPSec Just Yet

VPNs are everywhere, and it's not hard to figure out why. Connecting branch offices to corporate networks used to involve expensive leased lines, while connecting remote workers (or small branch offices) required dialing in to remote access servers. But now that fast broadband connections to the public network are ubiquitous, virtual private networking (VPN) technologies provide a fast and low-cost alternative by creating a secure tunnel between two points connected to the Internet, through which encrypted data can pass.

In the past the VPN market has been dominated by suppliers of IPSec-based VPNs, but newer Secure Sockets Layer (SSL) VPNs are becoming increasingly common. If you believe the hype, you might well think that SSL-based VPNs are about to sweep away IPSec technology.

A moment's reflection is all that's needed to realize that in fact this is not about to happen. Why? Because for this to take place, SSL VPNs would have to be so superior to IPSec ones as to make the latter redundant. And this is simply not the case. "Inertia is a powerful force," says Michael Suby, an analyst at Stratecast Partners. "You won't see large scale replacement of IPSec VPNs with SSL-based ones in the near future because if an IPSec based one works then companies are not going to throw it away."

The most sensible way to look at IPSec and SSL VPNs is as complementary, or at least overlapping, solutions, rather than competing ones. The two technologies are different, and have different pros and cons. They are, therefore, suited to different environments.

To summarize briefly, an IPSec-based VPN works by securing IP packets which are transmitted between a remote network or computer and a dedicated IPSec gateway box at the entrance to a corporate network. It provides safe access, in other words, to an entire corporate network. SSL VPNs, on the other hand, work by securing data streams from applications between remote users and an SSL gateway box – connecting end users with applications on a corporate network.

The upshot of this, says Robert Whiteley, an analyst at Forrester Research, is that both SMBs (small and medium sized businesses) and enterprises are likely to retain IPSec based VPNs for site to site connectivity – where leased lines might previously have been used – while adopting SSL based VPNs for providing new remote access. 2005 will be the year that SSL gains widespread adoption, he believes – though not at the expense of IPSec. "IPSec is definitely alive and well, and very healthy for site to site communications," he says. "We have seen growth in the number of organizations deploying IPSec VPNs over ADSL and even satellite, and one of the major reasons for that is the growth in all in one security devices, particularly from Juniper, and from Cisco with their integrated services routers."

Why is SSL preferred for remote access? A key difference between the two types of VPN is that while IPSec relies on the existence of VPN client software on each remote user's machine, SSL is built into the browser on virtually every computer in the world. SSL is, therefore, effectively "clientless". This has huge potential benefits for companies wishing to allow secure remote access. Every network administrator will understand the problems associated with trying to install, configure and support a client application on employees' home computers, and installing software on machines belonging to other companies – where consultants may be based for short periods of time – is not normally possible.

SSL is therefore opening up a whole new area for VPNs: remote access where an IPSec VPN would be impractical because the access device is unmanaged. "SSL is now capable of acting as an IPSec substitute, but as recently as a year ago this was really not the case because they were not mature enough from an application compatibility standpoint," says Whiteley. "Some applications, especially home grown ones, wouldn't work with SSL in the past, but most vendors have now found a way to address that."

From a management point of view, it was also hard to add applications to an SSL VPN, but this is now much easier, and security – a crucial point for most organizations – is not a particular issue with SSL VPNs as they are generally about as secure as IPSec ones. "So if users want to connect from home, or from a PDA (which can't run an IPSec client), or from an Internet kiosk, now they can. This is where I think the growth in SSL based VPNs will come from – not from substitution from IPSec based ones."

SSL and IPSec VPNs are not the whole story, of course: many companies are investigating or deploying managed VPNs based on MPLS (multi-protocol label switching) networks. But much of the growth in the VPN market over the coming months is likely to be driven by SSL VPN sales to provide new categories of users with remote access. It's worth remembering, though, that roughly half of all large organizations are still using IPSec VPNs to provide remote access, and are likely to continue to do so for the foreseeable future. A similar number use IPSec for site to site connectivity. The truth is that news of the imminent death of IPSec technology has been greatly exaggerated.